This is a migrated thread and some comments may be shown as answers.

AntiForgery Question

John asked on 18 Jun 2013, 08:47 AM

I have a single page with a tabstrip of grids. I use popup editing to perform CRUD operations in each grid.

In my grid views I am sending the AntiForgeryToken via the data transport.
For example:
Create(create => create.Action("CreateObject", "Editor").Data("sendAntiForgery"))
which calls:
function sendAntiForgery() {
    return { "__RequestVerificationToken": $('input[name=__RequestVerificationToken]').val() }
}

In my EditorTemplates (from inside the Html.BeginForm()) I am calling @Html.AntiForgeryToken().

This was all working perfectly until I made a small change and broke everything. 
I removed a call to @Html.AntiForgeryToken() from a simple form in my main view. (Nothing to do with the tabstrip or grids). All of my CRUD operations in my grids were now failing - it was telling me the token wasn't passed. 

It turns out, if I simply placed a Html.AntiForgeryToken() in my main view somewhere it fixed everything - I could even remove the Html.AntiForgeryToken from my editor templates.

This doesn't seem right. Can somebody explain this behaviour?

5 Answers, 1 is accepted

Daniel
Telerik team
answered on 20 Jun 2013, 08:01 AM
Hello John,

The selector finds any AntiForgeryToken input on the page and you should have at least one Html.AntiForgeryToken helper on the page. It does not matter if it is placed in the editor template or in the layout. The input will still be found and the token will be added to the request.

Regards,
Daniel
Telerik
Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
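
Daniel's point above, that one token input anywhere on the page is enough for the selector, shown as an added example that is not part of the original thread: a variant of the `sendAntiForgery` handler that searches the whole document and fails loudly when no token input exists. The factory name, the fake page object used to run it outside a browser, and the token values are assumptions made for illustration.

```javascript
// Added example, not code from the thread. The field name and the handler
// name sendAntiForgery come from the question; everything else is hypothetical.
const TOKEN_FIELD = "__RequestVerificationToken";

// Returns a handler for .Data("sendAntiForgery"). The lookup is scoped to
// `root` (normally the whole document), so a token rendered in the main view,
// the layout or an editor template is found equally.
function makeAntiForgeryData(root) {
  return function () {
    const input = root.querySelector('input[name="' + TOKEN_FIELD + '"]');
    const token = input ? input.value : "";
    if (!token) {
      // Surface the missing helper on the client instead of posting
      // without a usable token and having the server reject the request.
      throw new Error("No " + TOKEN_FIELD + " input found; add @Html.AntiForgeryToken() to the page");
    }
    return { [TOKEN_FIELD]: token };
  };
}

// Constructed stand-in for a DOM so the example runs outside a browser:
// querySelector returns the first input whose name matches the selector.
function fakePage(inputs) {
  const match = (sel) => inputs.find((i) => sel === 'input[name="' + i.name + '"]') || null;
  return { querySelector: match };
}

// The three page states from the question (token values are constructed).
function demo() {
  const tokenInMainView = fakePage([{ name: TOKEN_FIELD, value: "tok-main" }]);
  const tokenInTemplate = fakePage([
    { name: "Name", value: "x" },
    { name: TOKEN_FIELD, value: "tok-editor" }
  ]);
  const noToken = fakePage([{ name: "Name", value: "x" }]);
  let failure = null;
  try { makeAntiForgeryData(noToken)(); } catch (e) { failure = e.message; }
  return {
    main: makeAntiForgeryData(tokenInMainView)(),
    template: makeAntiForgeryData(tokenInTemplate)(),
    failure: failure
  };
}

// In the browser, expose the handler under the name the grid is configured with.
if (typeof document !== "undefined") {
  window.sendAntiForgery = makeAntiForgeryData(document);
}
```
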
John
answered on 20 Jun 2013, 08:11 AM
Thanks Daniel,

It was my understanding that Html.AntiForgeryToken() was required inside the @using(Html.BeginForm()){} block.

Regards
Daniel
Telerik team
answered on 24 Jun 2013, 07:00 AM
Hello John,

If you are posting the data with a form then yes, it is required to add the AntiForgeryToken in the form so that it will be sent. In this case, however, the data is posted via Ajax and you are dynamically adding the token to the data, so it does not matter where the helper is placed.

Regards,
Daniel
Telerik
Anurag
answered on 31 Oct 2013, 07:02 PM
Adding helper methods anywhere in the page works for the main grid, but if we are creating nested grids and they are inside a script tag, then it doesn't work. Is the only option at that time to pass through data, or is there another way where it can work for all the nested grids (which are in a tab)?

Anurag
Daniel
Telerik team
answered on 04 Nov 2013, 09:28 AM
Hello Anurag,

The same approach should be used when the Grid is used in a detail template. Could you clarify what exactly is not working? Is the token not posted, is there a JavaScript error, or is it something else? It would be helpful if you could provide the code that you are using so I can check the setup.

Regards,
Daniel
Telerik